MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31799b95716aafede8ee3743c0a3976a4367f3e7ac946be7fab519a50b7dc067. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Hancitor
Vendor detections: 7

SHA256 hash: 31799b95716aafede8ee3743c0a3976a4367f3e7ac946be7fab519a50b7dc067
SHA3-384 hash: 14d80b2dc6e05cd0e1e99742c16fae16354b7d3c7efbac60e877af9c813ba28a6e7df927a5f9f738288a86b88e6bff35
SHA1 hash: ce07f59eca5bd8ee109096875f8a6b61f5aa2980
MD5 hash: 83ba2586ea176dfb069ec4bf49439d94
humanhash: carbon-vermont-mars-carpet
File name: xls.png.exe
Signature: Hancitor
File size: 690'008 bytes
First seen: 2020-10-20 16:31:35 UTC
Last seen: 2020-11-03 07:52:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 01a5ffcac94ee9613d1e6e5efa5c3e90 (6 x Hancitor)
ssdeep: 1536:0p7C6+C85lL+gHgTNJdJsdyZNKTd/fuzEsFqOS7QRLsXznayUjS9a95FaDektxi/:0p7E5xiZJLZNGA/Fqz7iLsXvBPxm1J
Threatray: 12 similar samples on MalwareBazaar
TLSH: 9EE485697B80E052C9544A3D8E06FAF854B3BC40EC7216F736D03F8FF9655A0EB29259
Reporter: James_inthe_box
Tags: exe Hancitor

Code Signing Certificate

Organisation: RMNEYKSDMXUIOMBUHC
Issuer: RMNEYKSDMXUIOMBUHC
Algorithm: sha1WithRSA
Valid from: Oct 20 04:15:33 2020 GMT
Valid to: Dec 31 23:59:59 2039 GMT
Serial number: 05D012E9FA909B984B8BC617C4EE1588
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 58DC1C18F21B24A74BF2278989D15BEF9E5C39D71B2BB3A3D2F26A81DDF6903D
Source: ReversingLabs A1000 Malware Analysis Platform

Note: the organisation and issuer fields are identical, so this is a self-signed certificate that does not chain to a trusted CA; the serial number and thumbprint above are the values to pivot on for other samples signed with it.
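The hash block above and the certificate block are what an analyst pivots on. The script below is an added example, not MalwareBazaar's own client and not code from ReversingLabs. It builds a `get_info` lookup for the public abuse.ch API (the endpoint `https://mb-api.abuse.ch/api/v1/`, the form fields `query=get_info` and `hash=`, and the optional `Auth-Key` header are assumptions taken from the public API documentation), then reduces a reply to the IOCs worth tracking and scores the signing certificate the way the note above does: subject equal to issuer, sha1WithRSA, and a validity window of roughly nineteen years. Because nothing on this page can reach the network, the reply it parses is constructed from this entry's values; the JSON field names (`sha256_hash`, `code_sign`, `subject_name`, `issuer_name`, ...) and the ISO 8601 timestamps in it are assumptions, so check the live API's format before relying on the date parsing.

```python
"""Look up a sample on MalwareBazaar and pull out the IOCs worth pivoting on.

Added example, not MalwareBazaar's own client. Assumptions are marked inline.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime
from typing import Optional

# Assumption: public abuse.ch endpoint and form fields (query=get_info, hash=<sha256|sha1|md5>).
API_URL = "https://mb-api.abuse.ch/api/v1/"

SAMPLE_SHA256 = "31799b95716aafede8ee3743c0a3976a4367f3e7ac946be7fab519a50b7dc067"

DECOY_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "png", "jpg", "jpeg", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def build_get_info_request(file_hash: str, auth_key: Optional[str] = None) -> urllib.request.Request:
    """Build the POST that asks MalwareBazaar for everything it holds on one hash.

    `auth_key`, if given, is sent as the Auth-Key header (assumed header name).
    """
    body = urllib.parse.urlencode({"query": "get_info", "hash": file_hash}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_key:
        headers["Auth-Key"] = auth_key
    return urllib.request.Request(API_URL, data=body, headers=headers, method="POST")


def fetch_get_info(file_hash: str, auth_key: Optional[str] = None, timeout: float = 20) -> dict:
    """Send the lookup and decode the JSON reply (network; not used by the offline demo)."""
    req = build_get_info_request(file_hash, auth_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def has_double_extension(name: str) -> bool:
    """True for names like xls.png.exe: a document/image decoy right before an executable suffix."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS


def assess_code_sign(cert: dict) -> list:
    """Flag certificate traits that mark a throwaway signing certificate."""
    findings = []
    if cert.get("subject_name") and cert.get("subject_name") == cert.get("issuer_name"):
        findings.append("self-signed (subject == issuer)")
    if cert.get("algorithm", "").lower().startswith("sha1"):
        findings.append("legacy signature algorithm " + cert["algorithm"])
    # Assumption: timestamps are ISO 8601 without a zone; adjust to the live API's format.
    fmt = "%Y-%m-%dT%H:%M:%S"
    span = datetime.strptime(cert["valid_to"], fmt) - datetime.strptime(cert["valid_from"], fmt)
    if span.days > 5 * 365:
        findings.append("validity span %d years" % (span.days // 365))
    return findings


def extract_iocs(response: dict) -> dict:
    """Reduce a get_info reply to the fields an analyst pivots on."""
    if response.get("query_status") != "ok":
        raise ValueError("lookup failed: %s" % response.get("query_status"))
    entry = response["data"][0]
    certs = entry.get("code_sign") or []
    return {
        "sha256": entry["sha256_hash"],
        "sha1": entry["sha1_hash"],
        "md5": entry["md5_hash"],
        "file_name": entry.get("file_name"),
        "double_extension": has_double_extension(entry.get("file_name") or ""),
        "signature": entry.get("signature"),
        "imphash": entry.get("imphash"),
        "tags": entry.get("tags") or [],
        "cert_serials": [c.get("serial_number") for c in certs],
        "cert_findings": {c.get("serial_number"): assess_code_sign(c) for c in certs},
    }


# Constructed reply mirroring this page's values; NOT captured from the live API,
# and the field names are assumptions about the API's JSON layout.
CONSTRUCTED_RESPONSE = {
    "query_status": "ok",
    "data": [{
        "sha256_hash": SAMPLE_SHA256,
        "sha1_hash": "ce07f59eca5bd8ee109096875f8a6b61f5aa2980",
        "md5_hash": "83ba2586ea176dfb069ec4bf49439d94",
        "file_name": "xls.png.exe",
        "file_size": 690008,
        "signature": "Hancitor",
        "imphash": "01a5ffcac94ee9613d1e6e5efa5c3e90",
        "tags": ["exe", "Hancitor"],
        "code_sign": [{
            "subject_name": "RMNEYKSDMXUIOMBUHC",
            "issuer_name": "RMNEYKSDMXUIOMBUHC",
            "algorithm": "sha1WithRSA",
            "valid_from": "2020-10-20T04:15:33",
            "valid_to": "2039-12-31T23:59:59",
            "serial_number": "05D012E9FA909B984B8BC617C4EE1588",
            "thumbprint": "58DC1C18F21B24A74BF2278989D15BEF9E5C39D71B2BB3A3D2F26A81DDF6903D",
        }],
    }],
}

if __name__ == "__main__":
    print(json.dumps(extract_iocs(CONSTRUCTED_RESPONSE), indent=2))
```

Swap `CONSTRUCTED_RESPONSE` for `fetch_get_info(SAMPLE_SHA256)` to run it against the live service. The certificate checks are deliberately heuristic: a self-signed subject, a SHA-1 signature and a multi-decade validity window are individually legitimate in test labs, so treat the combination as a pivot, not a verdict, and use the serial number to find the other samples the page says share this certificate.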

Intelligence


File Origin
Uploads: 4
Downloads: 341
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a file in the Windows subdirectories
Sending a UDP request
Creating a process from a recently created file
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Result
Threat name: Win32.Trojan.MintZamg
Status: Malicious
First seen: 2020-10-20 16:30:44 UTC
File type: PE (Exe)
Extracted files: 21
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run key to start application
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 31799b95716aafede8ee3743c0a3976a4367f3e7ac946be7fab519a50b7dc067
MD5 hash: 83ba2586ea176dfb069ec4bf49439d94
SHA1 hash: ce07f59eca5bd8ee109096875f8a6b61f5aa2980

SHA256 hash: 0de13271ad1e296267e9f38d86e66f5ff1e1b0345ff1480f8832ba34b57a1568
MD5 hash: a9b887184d59d0ef474c825e84a1adcc
SHA1 hash: 81d64600c6ab66444bd6decb833fdb846d0e04d4
Please note that we are no longer able to provide a coverage score for Virus Total.
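The behaviour lists from the sandboxes above describe one chain: a double-extension executable drops a PE under C:\Windows, starts it, sets a value under Software\Microsoft\Windows\CurrentVersion\Run, launches cmd.exe, and looks up the machine's external IP. The correlator below is an added example, not code from MalwareBazaar or any of the sandbox vendors. It consumes Sysmon-style events (the field names `EventID`, `Image`, `ParentImage`, `TargetFilename`, `TargetObject`, `Details` and `QueryName`, and the event IDs 1, 11, 13 and 22, are Sysmon's conventions) and raises one alert per link of the chain. The events it runs on are constructed to mirror the reported behaviours; the dropped file name, the user SID and the IP-check domain are placeholders, not indicators from this sample.

```python
"""Correlate Sysmon-style events for the dropper-to-persistence chain listed above.

Added example, not code from MalwareBazaar or any sandbox vendor. The events are
constructed; names marked as placeholders are not indicators from this sample.
"""
import re

WINDOWS_DIR = "c:\\windows\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Placeholder: fill with the IP-echo services actually seen in your DNS telemetry.
IP_CHECK_DOMAINS = {"ip-lookup.example"}
# A document/image decoy extension immediately before an executable suffix (e.g. xls.png.exe).
DOUBLE_EXT = re.compile(r"\.(xls|xlsx|doc|docx|pdf|png|jpg|jpeg|txt)\.(exe|scr|com|pif)$")


def correlate(events):
    """Walk events in time order; return (rule, detail) alerts for each link of the chain."""
    alerts = []
    dropped = {}  # lowercase path of an executable written under C:\Windows -> writing image
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        eid = ev["EventID"]
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        if eid == 11:  # FileCreate: remember executables written into the Windows directory
            target = ev["TargetFilename"].lower()
            if target.startswith(WINDOWS_DIR) and target.endswith((".exe", ".dll")):
                dropped[target] = ev["Image"]
        elif eid == 1:  # ProcessCreate
            if DOUBLE_EXT.search(image):
                alerts.append(("double_extension", ev["Image"]))
            if image in dropped:
                alerts.append(("exec_dropped_in_windows_dir",
                               "%s dropped by %s" % (ev["Image"], dropped[image])))
            if image.endswith("\\cmd.exe") and (parent in dropped or DOUBLE_EXT.search(parent)):
                alerts.append(("cmd_from_suspicious_parent",
                               "%s <- %s" % (ev["CommandLine"], ev["ParentImage"])))
        elif eid == 13:  # RegistryEvent (value set): Run key gated on a suspicious writer or target
            details = ev.get("Details", "").lower()
            if RUN_KEY in ev["TargetObject"].lower() and (
                    details in dropped or image in dropped or DOUBLE_EXT.search(image)):
                alerts.append(("run_key_persistence",
                               "%s -> %s" % (ev["TargetObject"], ev.get("Details"))))
        elif eid == 22:  # DnsQuery: external-IP lookup by an already-suspicious process
            if ev["QueryName"].lower() in IP_CHECK_DOMAINS and (
                    image in dropped or DOUBLE_EXT.search(image)):
                alerts.append(("external_ip_lookup", "%s -> %s" % (ev["Image"], ev["QueryName"])))
    return alerts


SAMPLE = "C:\\Users\\user\\Downloads\\xls.png.exe"   # file name from this entry; path constructed
DROPPED = "C:\\Windows\\System32\\dropped_payload.exe"  # placeholder name, not an indicator
RUN_VALUE = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"

# Constructed Sysmon-style events mirroring the sandbox behaviour lists on this page.
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "UtcTime": "2020-10-20 16:31:40", "Image": SAMPLE,
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": '"%s"' % SAMPLE},
    {"EventID": 11, "UtcTime": "2020-10-20 16:31:41", "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 13, "UtcTime": "2020-10-20 16:31:42", "Image": SAMPLE,
     "TargetObject": RUN_VALUE, "Details": DROPPED},
    {"EventID": 1, "UtcTime": "2020-10-20 16:31:43", "Image": DROPPED,
     "ParentImage": SAMPLE, "CommandLine": '"%s"' % DROPPED},
    {"EventID": 1, "UtcTime": "2020-10-20 16:31:44", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": SAMPLE, "CommandLine": 'cmd.exe /c del "%s"' % SAMPLE},
    {"EventID": 22, "UtcTime": "2020-10-20 16:31:45", "Image": DROPPED,
     "QueryName": "ip-lookup.example"},
    {"EventID": 1, "UtcTime": "2020-10-20 16:31:46", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for rule, detail in correlate(CONSTRUCTED_EVENTS):
        print("%-28s %s" % (rule, detail))
```

A Run-key write or a DNS query to an IP-echo service is far too common to alert on alone; the correlator therefore only raises those when the writing or querying process was itself dropped into the Windows directory or carries a double extension. The benign svchost.exe event at the end produces nothing, and removing the FileCreate event silences the two rules that depend on knowing what was dropped.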

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: hancitor
Author: J from THL <j@techhelplist.com>
Description: Memory string yara for Hancitor

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
